Dev says $31 million Meerkat Finance exploit was a ‘test’; will return funds


For the victims of one of the biggest DeFi exploits ever, good news may be on the horizon.

Today at 5.30am UTC a developer from Meerkat Finance who identified himself as “Jamboo” posted a short message on a newly created Telegram channel, “Meerkatrefunds”. In it, Jamboo said the exploit was an “attempt” that tested the user’s greed and “subjectivity” and that the team was preparing to reimburse all victims.

Jamboo demonstrated a connection to Meerkat by sending a small transaction from the Meerkat provider, showing that they have access to the contract that was exploited (or are in communication with someone who does). The transaction was processed on the Binance Smart Chain network approximately twenty minutes after Jamboo’s Telegram message.

Meerkat was a yield vault project that forked the code of Yearn.Finance – one of many forks of Ethereum-native protocols that populate BSC. The attack on Meerkat took place on March 4th, the day after Meerkat’s launch, resulting in a loss of 73,000 BNB and $14 million in the stablecoin BUSD – a total of $31 million in user funds.

Community members were quick to call the exploit a “rugpull” – a slang term for when an insider or a member of a development team exploits special contract permissions – because the Meerkat provider contract was updated to allow the vaults to be drained just before the attack.

Some thought the exploit would be a test of Binance Smart Chain’s claim to decentralization. BSC is run by a network of 21 validation nodes, many of which are believed to be linked to Binance or run directly by Binance.

The exploit also put the attacker in a difficult position: Binance controls the entrances and exits to BSC, which means that stolen funds were tied to the chain and could not be realized as profit.

Attention now turns to the Meerkat developers and their motivations. Jamboo’s message contained few details and only vague clues as to what led the team to steal $31 million from users. Jamboo wrote that the team “invited a third party (hacker) to attack the vulnerability through the verification proxy contract,” and that a full report of the exploit will be released.

According to Jamboo, the theft was a demonstration of the avarice that permeates DeFi.

“DeFi is important, but it has many shortcomings. It is bloomed by human greed.”